Professional Documents
Culture Documents
1
several European nightclubs, and have been less glam- 1.2 RFID Guardian Design Goals
orously deployed for identifying deceased victims of hur-
Over the past months, we have designed and prototyped
ricane Katrina[1].
the RFID Guardian, a system that allows people to ad-
RFID technology thus races on at a pace that surpasses minister the security of their RFID tags. The design of
our ability to control it. The same ease-of-use and per- the RFID Guardian was driven by the following goals,
vasiveness that makes RFID technology so revolutionary which follow from the nature of RFID applications and
offers less-then-ethical characters unprecedented oppor- deployment considerations:
tunities for theft, covert tracking, and behavioral profil-
ing. Without the appropriate controls, attackers can per- • Centralized use and management.
form unauthorized tag reading and clandestine location Most existing RFID countermeasures distribute
tracking of people or objects (by correlating RFID tag their security policies across RFID tags, which
“sightings”). Snooping is possible by eavesdropping on make them very hard to configure, manage, and
tag/reader communications. Criminals can also manip- use. To address this concern, we designed a sin-
ulate RFID-based systems (i.e. retail checkout systems) gle platform to leverage RFID countermeasures in
by either cloning RFID tags, modifying existing tag data, a coordinated fashion. Personalized security poli-
or by preventing RFID tags from being read in the first cies are centrally enforced by utilizing novel RFID
place. security features (auditing, automatic key man-
agment, tag-reader mediation, off-tag authentica-
Security and privacy researchers have proposed a wide tion) together with existing ones (kill commands,
array of countermeasures against these threats. The sleep/wake modes, on-tag cryptography).
simplest solution is deactivating RFID tags; perma-
nently (via “frying”[17], “clipping”[13], or “killing”[4]), • Context-awareness.
or temporarily (using Faraday cages or sleep/wake Different countermeasures have strengths and
modes[20]). Cryptographers have created new low- weaknesses in different application scenarios. Low-
power algorithms for RFID tags, including stream ci- cost Electronic Product Code (EPC) tags require
phers [6], block ciphers[5], public-key cryptographic different access control mechanisms than expensive
primitives[9], and lightweight protocols for authenti- crypto-enabled contactless smart cards. Our sys-
cation [21]. Additionally, researchers have developed tem maintains both RFID-related context (i.e. RFID
access control mechanisms that are located either on tags present, properties and security features, and
tag (hash locks[22] / pseudonyms[10]) or off (Blocker their ownership status), as well as personal context
Tag[11], RFID Enhancer Proxy[12]). (i.e. the user is in a non-hostile environment). Con-
text is then used in conjunction with an Access Con-
Despite this plethora of countermeasures, neither the trol List (ACL) to decide how to best protect the
threats nor the fears facing RFID have dissipated. The RFID tags in question.
countermeasures have become somewhat of a band-aid
that can be slapped onto RFID technology later. Some • Ease-of-use.
companies view these results as a desirable way to quiet People do not want to fuss with an RFID privacy
down the privacy activists. Other companies in RFID device, so our system must be both physically and
standardization committees are actively fighting against operationally unobtrusive. We envision that our sys-
adding security into RFID protocol design, because it tem will be eventually integrated into a PDA or mo-
will make their current commercial offerings obsolete. bile phone, so users will not be burdened with car-
People need a solution that they can physically own and rying an extra physical device. Accordingly, the
use, not one that relies upon the RFID companies to de- RFID Guardian uses an XScale processor and sim-
cide when privacy will become important. ple RFID HW (barely more complex than RFID
HW already found in Nokia mobile phones). Also,
Another missing element is a means to coordinate the system operation was designed to be non-interactive
myriad of incompatible countermeasures as they trickle for default situations, and offers a user interface for
onto the market in a piecemeal fashion. Per-tag secu- the special cases that require on-site configuration.
rity policies combined with a lack of automation will
form a management nightmare for people, who cannot • Real-world useability.
be expected to know when or how to apply the appropri- It is essential that the RFID Guardian work with ac-
ate countermeasures. There is no unified framework; no tual deployed RFID systems. We chose a single
systematic means to leverage individual RFID counter- standard as a proof-of-concept, to prove the tech-
measures to achieve the most important goal of all – the nical feasability our ideas. Our RFID Guardian im-
protection of real people. plementation supports 13.56 MHz (HF) RFID, and
2
is compatible with the ISO-15693[2] standard. This 2.1.1 Scan logging
frequency and standard is used in a wide array of
RFID applications, due to the availablity of rela- Scan logging audits RFID scans in the vicinity, which
tively inexpensive commodity HW. The ideas in this are either displayed (using an LCD or screen) or are
paper can also be extended to other standards or fre- logged for later retrieval. Tag emulation decodes the
quencies, given some extra engineering effort. RFID reader queries prior to logging the 64-bit UID (tag
ID), an 8-bit command code, and annotations (like a 32-
The remainder of this paper is organized as follows. bit timestamp). Query data is logged by default, unless
Section 2 describes the RFID Guardian’s high-level func- the flash memory is almost full.
tionality. Section 3 provides implementation details for Audited RFID scans should be filtered to avoid over-
our RFID Guardian prototype, and Section 4 provides a whelming the user with uninteresting information. For
real-life case study, illustrating the operation of Selec- example, the RFID Guardian might be configured to only
tive RFID Jamming. Performance results are reported in log scans targeting tags “owned” by that individual (see
Section 5. Section 6 presents a discussion of potential next section). Repeatedly polled queries (like inventory
attacks, and Section 7 reviews some related work. Our queries, which ask tags in range to identify themselves)
discussion is then concluded in Section 8. will also generate a lot of noise, so it is best to have the
SW aggregate these queries (e.g. 1000x inventory query
from time t1-t2).
2 System functionality
The RFID Guardian (first introduced in [19]) is a 2.1.2 Tag logging
portable battery-powered device that mediates interac- The RFID Guardian tracks RFID tag ownership and
tions between RFID readers and RFID tags. The RFID alerts individuals of newly appearing (possibly clandes-
Guardian leverages an on-board RFID reader combined tine) tags. Ownership of RFID tags can be transferred
with novel tag emulation capabilities to audit and control explicitly via the user interface or an authenticated RFID
RFID activity, thus enforcing conformance to a central- channel (i.e. while purchasing tagged items at an RFID-
ized security policy. enabled checkout). Ownership of RFID tags can also
The vast majority of RFID readers will not explicitly be transferred implicitly (i.e. when handing an RFID-
interact with the RFID Guardian. Eavesdropping and tagged book to a friend.) The RFID Guardian detects im-
clever tag emulation tactics are necessary to glean infor- plicit tag acquisition by conducting periodic RFID scans,
mation from these readers. However, a small group of and then correlating the tags that remain constant across
RFID readers will have special back-end SW installed, time.
that provides them with an “awareness” of the Guardian.1 The frequency of RFID tag discovery is adjustable.
These RFID readers tend to be in familiar locations (i.e. Given that not all implicit tag acquisitions are desirable,
at home, at the office), and they are intentionally granted the frequency of scanning/correlation/reporting presents
more generous access permissions. These RFID readers a tradeoff between privacy, accuracy, and battery life.
may explicitly cooperate with the Guardian, sending data Our opinion is that infrequent correlation in a controlled
containing authentication messages, context updates, or environment is probably the most useful and least error
secret keys. prone option (i.e comparing RFID tags present at home
The rest of this section describes the design of the at the beginning and end of the day).
RFID Guardian, focusing on four fundamental issues: (i)
auditing, (ii) key management, (iii) access control, and
(iv) authentication. 2.2 Key Management
Modern RFID tags have a variety of security func-
2.1 Auditing tionality, ranging from tag deactivation commands, to
password-protected memory, to industrial-grade cryp-
The RFID Guardian monitors RFID scans and tags in its tography. These security features often require the use
vicinity, serving as a barometer of (unauthorized) RFID of associated key values, which present logistical issues
activity. RFID auditing is a prerequisite for the enforce- because the keys must be acquired, stored, and available
ment of RFID security policies, plus it furnishes individ- for use at the appropriate times.
uals with both the awareness and proof needed to take
The RFID Guardian is well suited to manage RFID
legal recourse against perpetrators of RFID abuse.
tag keys due to its 2-way RFID communications abil-
1 Even these “Guardian aware” readers still use standard RFID hard- ities. Tag key transfer could occur by eavesdropping
ware and air interfaces. on the RFID channel when a reader (for example, an
3
RFID tag “deactivation station”) issues a query contain- context information can be represented via “context up-
ing the desired key information. Additionally, “Guardian dates”, which are arbitrary textual strings that represent
aware” RFID readers can transfer key information ex- some facet of the user’s situation. Context updates could
plicitly over a secure channel, or key values can be man- report anything. For example, an RFID reader at the
ually entered via the user interface. The RFID Guardian front door of a person’s home might inform the RFID
is also an appropriate medium for periodically regener- Guardian that it is now leaving a protected area. Context
ating tag keys, re-encrypting tag data[8], and refreshing updates are provided either by user (via the user inter-
tag pseudonym lists[10]. face), or by authenticated “Guardian aware” RFID read-
ers.
2.3 Access Control
2.3.3 Tag-reader mediation
RFID technologists and privacy activists propose deac-
tivating RFID tags after sale as a means of protecting The RFID Guardian acts as a mediator between RFID
consumer privacy (and corporate liability). However, if readers and RFID tags. Just like a packet filter, the
you consider that RFID tags represent the future of com- Guardian uses Selective RFID Jamming[18] to enforce
puting technology, this proposal becomes as absurd as access control by controlling the communications medi-
permanently deactivating desktop PCs to reduce the in- ation. The RFID Guardian can therefore control access
cidence of computer viruses and phishing. Perhaps RFID for low-cost RFID tags that otherwise might not have any
tags are in fact too much like modern computers – their access control primitives available to them.
default behavior is to indiscriminately transfer data to The RFID Guardian’s selective jamming scheme is
anyone with compatible equipment. The hope is that currently optimized for ISO-15693 tags, which use the
modern security technologies like firewalls and proxies Slotted Aloha anticollision scheme (as opposed to EPC-
can be adapted, to protect hapless RFID tags from them- global’s ’tree-walking’). Selective RFID Jamming uses
selves via central monitoring and managing of the com- tag emulation to decode the incoming RFID reader
munications medium. query, determines if the query is permitted (according to
the ACL), and then sends a short jamming signal that pre-
cisely blocks the timeslot in which the “protected” RFID
2.3.1 Coordination of security primitives tag will give its response.
The RFID Guardian maintains a centralized security pol-
icy that dictates which RFID readers have access to
which RFID tags in which situations. This security pol-
icy is implemented as an Access Control List (ACL). The
ACL resembles one used by a standard packet filter, that
allows or denies RFID traffic based upon the querying
reader (if known), the targeted tag(s), the attempted com-
mand, and the context (if any).
Permitted data types in the ACL are values (i.e.
123), text strings (i.e. ’at home’, ’in a para-
noid mood’), groupings (i.e. assigned groups of
tags/readers/context/commands), and wildcards (123*,
*). The user configures the ACL, and constructs the
groups via the user interface. Figure 2: Selectively Jamming Tag # 2
4
Figure 3: RFID Guardian Prototype
a negligible chance of blocking the incorrect RFID tag our system against commonly used RFID equipment –
responses. This makes the RFID Guardian’s manner of the Philips MIFARE/I.Code Pagoda RFID Reader, with
selectively jamming inventory queries far less-obtrusive Philips I.Code SLI (ISO-15693) RFID tags. This sec-
than the Blocker Tag’s concept of “privacy zones”[11], tion will introduce the hardware and software architec-
which block entire ranges of tag identifiers (regardless of ture that our prototype uses to monitor and protect the
who owns the tag.) RFID infrastructure.
5
Our prototype has a minimalist User Interface (UI) at
the moment – a serial RS-232 interface to the PC host,
which contains an attached keyboard and screen. While
this is sufficient for our proof-of-concept, we plan to
add a more portable UI to the next version of the RFID
Guardian HW.
6
The RFID Guardian prototype utilizes the “active” tag markers (EOF, SOF, JAM), and they can also provide
spoofing approach. Figure 6 shows the signal gener- timing information. eCos also conveniently provides de-
ated by our tag transmitter. The spoofed “sidebands” are vice drivers for the RS-232 “user interface”, which facil-
transmitted at a power-level roughly equal to the reader’s itates a connection to the user’s keyboard and screen.
carrier signal. This has increased the range of our fake
tag responses – from 10 cm to a half meter away!
Protocol Stack Once the device drivers decode bytes
of raw RFID data, the RFID Guardian needs to make fur-
3.2 Software ther sense out of it; e.g. was it an RFID tag replying to
The RFID Guardian is like a watchdog; it sits with a an inventory query, or an RFID reader attempting to read
cocked-ear, waiting for danger to appear. It monitors a data block? The ability to understand RFID communi-
real-world activity, from unexpected RFID scans to clan- cations protocols is a prerequisite for making meaningful
destinely located tags, and reacts in real-time lest these high-level security decisions (e.g. was the reader’s read
dangers remain undetected and undeterred. command authorized?) This is why the RFID Guardian
The RFID Guardian’s SW architecture reflects this contains an implementation of Part 2 (device drivers)
event-driven reality. Besides its real-time core, the and Part 3 (Communications protocol) of the ISO-15693
Guardian’s 12694 lines of code provide device drivers standard.
(for our RFID HW), a protocol stack (ISO-15693), data
storage libraries, high-level system tasks, and application
Data Storage Once RFID communications have been
libraries. The result is 254728 bytes of cross-compiled
interpreted, the internal state of the RFID Guardian is
functionality dedicated to RFID security and privacy pro-
updated by modifying the contents of one or more data
tection.
structures. Generally, this data is stored in the volatile
RAM, but “permanent” data structures are cached into
3.2.1 Operating System Flash when the processor is idle. The Journaling
Flash File System (v2) manages the RFID Guardian’s
The RFID Guardian presents a holistic system to users,
Flash memory, providing filesystem-style access, offline
but lurking below the surface are time-critical SW rou-
garbage collection, balanced erasing of blocks, and crash
tines that require central coordination. The e-Cos Real-
resistance.
Time Operating System (RTOS) takes the place of
taskmaster; it ensures fast and reliable execution, while The data structures themselves collectively reflect the
simplifying developers’ lives by handling threads, ba- high-level functionality of the RFID Guardian. Transient
sic common interrupt handling, and some device drivers data structures include the tag presence list, partially-
(i.e. RS-232 driver). e-Cos was selected primarily for its open authentication list, authenticated session list, con-
availability for the PXA270 microcontroller, but it also text list, and timer activity list. Permanent data structures
proved an excellent choice because it is open-source, free may also include the RFID scan log, access control list,
of licensing costs, and has an active developer commu- reader authentication key list, tag ownership list, and tag
nity. key list.
7
tag responses. This is commonly used for detecting (pos-
"Timer" "UI" "Tag" "Reader" sibly covert) RFID tags, and activating on-tag security
mechanisms, if any.
8
Figure 8: Screenshot During Uninterrupted Query
9
Tag Reader Command Context tack modes.
... ... ... ...
<ownership list> * * *
5.1 Timing Constraints
The RFID Guardian enforces access control decisions on
in our ownership list, and two unknown tags (UID: the behalf of RFID tags, so real-time performance is re-
0xe0040100003b2252 and 0xe0040100003afab9). (See quired under both normal and hostile conditions. After
Figure 8 for a screenshot.) all, blocking a tag response after it has reached the at-
When the RFID Guardian is enabled, the Philips tacker is not very useful.
Reader’s inventory queries are immediately detected. In the upper time-line of Figure 10 we show the timing
These requests are decoded, and the RFID Guardian’s constraints for an inventory request-response sequence
internal logic determines that the query should be as specified by the ISO standard. Like every other
blocked. The Guardian then sends a short (ca. 350µsec) RFID message, the request is framed by a start-of-frame
jamming signal at timeslot 13 of the inventory se- marker (SOF) and an end-of-frame marker (EOF). Be-
quence, since that slot corresponds to the protected tag: tween these markers, an inventory request carries be-
0xe0040100003b0cbd. tween 40 (mask size is 0) and 104 (mask size is 64) data
Only the two unprotected tags are recognized by the bits. After receiving the request EOF, the tag must wait
Philips reader now, and the jamming caused a CRC error for 320.9 µsec before starting its answer. This is the time
that is reported in the lower central pane of the reader’s the RFID Guardian has to interpret reader requests and
user interface (see Figure 9). respond to them.
Debug output from the RFID Guardian illustrates the The lower time-line of Figure 10 shows the measured
processing steps, including the decision to jam at times- performance of the RFID Guardian. After a complete
lot 13: frame is received (SOF, data, and EOF), it needs 23
µsec to wake up the thread that monitors the receiver
1 Request t_eof 76.877230 RFID_INVENTORY(
1a flags=RFID_FRAME_DATA_RATE_FLAG|
and parses the request frame. Immediately before dis-
1b RFID_FRAME_INVENTORY_FLAG), patching the response frame, another 5 µsec of overhead
1c masklen=0x00,mask=0x0; is spent in firing up the transmitter. In between these
2 Inventory: t_eof 76.877230 s->SN 0 s->NbS 16 two events, the RFID Guardian has 320.9 - (23 + 5) =
3 Inventory: t_eof 76.882010 s->SN 1 s->NbS 16
4 Inventory: t_eof 76.886791 s->SN 2 s->NbS 16 292.9 µsec to consult its ACL (and supporting data struc-
5 Inventory: t_eof 76.888304 s->SN 3 s->NbS 16 tures) and decide whether or not to block the RFID tag
6 Inventory: t_eof 76.891568 s->SN 4 s->NbS 16 response.
7 Inventory: t_eof 76.896340 s->SN 5 s->NbS 16 How long this decision takes depends on how the
8 Inventory: t_eof 76.901120 s->SN 6 s->NbS 16
9 Inventory: t_eof 76.905893 s->SN 7 s->NbS 16 RFID Guardian’s ACL is organized. To find a coarse
10 Inventory: t_eof 76.910673 s->SN 8 s->NbS 16 upper bound on the ACL length that can be handled by
11 Inventory: t_eof 76.915446 s->SN 9 s->NbS 16 the Guardian prototype, we chose the slowest possible
12 Inventory: t_eof 76.920225 s->SN 10 s->NbS 16
implementation for the ACL: an unsorted array of UIDs
13 Inventory: t_eof 76.924999 s->SN 11 s->NbS 16
14 Inventory: t_eof 76.929778 s->SN 12 s->NbS 16 that can only be traversed sequentially to locate a specific
15 Inventory: t_eof 76.934552 s->SN 13 s->NbS 16 UID. An RFID request addressed to the last item in the
16 Inventory JAM t 76.934869 on s->SN 13 s->NbS 16 ACL was sent to the Guardian, forcing it to traverse the
16a mask len 0 mask 0x0
17 Inventory: t_eof 76.939330 s->SN 14 s->NbS 16
entire list. With 2600 entries, the Guardian was able to
18 Inventory: t_eof 76.944107 s->SN 15 s->NbS 16 respond in time.
The Guardian prototype is equipped with a powerful
Lines 1-1c report an Inventory request with a mask XScale processor at high clock speed, 520 MHz. To
length 0, and flags indicating a 16-slot inventory se- find out if a Guardian with less processor power would
quence. Lines 2 through 18 report End of Frame (EOF) still be feasible, we varied the clock speed of the XS-
pulses that mark the start of a new timeslot. (s->SN cale. The results are shown in Figure 11. The ACL
indicates the current slot number.) Line 16-16a corre- length that the Guardian could still cope with decreases
sponds with timeslot 13, and it indicates the generation with clock speed, but much less than linearly. This is at-
of a jamming signal. tributed to two causes: memory speed goes down more
slowly and in coarser steps than CPU speed; and parts of
5 Performance Measurements the device processing are independent of CPU speed. At
208 MHz, the Guardian prototype can process ACLs of
This section will analyze the performance of the RFID length 1800, even with this suboptimal ACL implemen-
Guardian, under a variety of resource constraints and at- tation.
10
ISO 15693 time SOF Data EOF Waiting Time Response SOF
constraints
75.52 1510.4 to 3927.04 37.76 320.9 µs
Max. Processing
Input Frame (SOF+Data+EOF) Overhead Time Overhead Response SOF
RFID Guardian
time constraints
1623.68 to 4040.32 23 292.9 5 µs
Of course, with a hash table instead of a linear list, vast would immediately alert the RFID Guardian and it would
numbers of ACLs can be searched in the available 292.9 confuse the tags as well. Attacking between reader com-
µsec. In short, ACL length is not likely to be a problem mands does not constitute a DoS vulnerability of the
even on a very slow XScale. communication channel: it would be the same as a regu-
lar reader action. The attacker could jam the channel, of
3000 course, but then he could not read out any tags, which
is the presumed reason he wants to cripple the RFID
Guardian.
The other potential vulnerability is the limited RFID
2500
Max ACL size
11
To summarize, the RFID Guardian seems immune to ers. However, the REP has some key differences from
the DoS attacks that we can identify, either because they the RFID Guardian. The most important differences
would also disturb regular RFID interaction, or because are as follows. First, the REP explicitly ”acquires” and
the RFID Guardian has enough resources to defend it- ”releases” RFID tag activity, which the Guardian does
self long enough to alarm its owner after the threat has not require. Second, the REP’s two-way communica-
continued for some while. tions channel is ”out-of-band,” which requires extra in-
frastructure. Third, the ”tag relabeling” mechanism re-
quires RFID tags to generate random numbers (or have a
6 Discussion sleep mode), which many of them cannot do (or do not
have). Fourth, the REP is purely theoretical; in contrast
In contrast to the aforementioned Denial of Service at- the RFID Guardian has been implemented and tested.
tacks, there are a number of attacks that are successful
RFID tag auditing (and cloning) are supported by sev-
against the RFID Guardian.
eral devices. FoeBuD’s Data Privatizer[7] will detect
The RFID Guardian faces the ’hidden station’ prob-
RFID scans, find and read RFID tags, and copy data read
lem, which is a geometric problem that depends entirely
to new tags. The Mark II ProxCard Cloner, by Jonathan
upon radio ranges. However, we assume that an attacker
Westhues[23] is a more general-purpose proximity-card
wouldn’t be able to maintain this for long, so we only
cloner, that supports the emulation of several RFID fre-
deal with the “single reader” problem in this paper.
quencies and standards (the HW is elegant, but the SW is
RFID readers could potentially trace the collision pending). Neither of these perform all the auditing, key
space, using collisions to resolve the IDs of RFID management, access control, and authentication func-
Guardian-protected protected RFID tags. We can im- tions that the RFID Guardian does.
prove this situation by adding some extra collisions,
A less sophisticated approach to privacy protection is
which will cause the algorithm to traverse a greater part
to block scans irrespectively of their originating reader.
of the ID space, making it look like more than one pro-
The Blocker Tag (Juels)[11] originated the concept of
tected tag is present.
’RFID blocking’ as a form of off-tag access control. It
Another weakness of the RFID Guardian is its inabil-
is designed to abuse the tree-walk anticollision proto-
ity to jam reader queries. Selective RFID jamming only
col, and RFID readers are forced to traverse the entire
jams tag responses – not queries. However, queries can
id namespace when trying to locate RFID tags. This ap-
modify an RFID tag in unauthorized ways, like perform-
proach does not analyze incoming scans, look up infor-
ing unauthorized data writes, or tag “killing”. Other
mation in an access control list, and depending on what
mechanisms can protect RFID tags from this, like tempo-
it finds, take action as the RFID Guardian does. Also, it
rary tag dectivation PETs (i.e. sleep/wake modes). How-
has not been implemented. (A purely SW-based “soft”
ever, this remains problematic for low cost RFID tags
blocker tag has been implemented, but it expects RFID
that might not support these other modes.
readers to self-regulate their behavior.)
Finally, attackers can evade RFID Guardian protection
An active device that can detect RFID scans is the
by tracking people using tags with pseudonyms. If the
M.I.T. RFID Field Probe[14]. It is a portable device,
RFID Guardian has the pseudonym list (or PRNG seed),
created by Rich Redemske at MIT Auto-ID Center, that
it can correlate the IDs, remaining aware that it is dealing
integrates an RFID tag emulator and sensor probe. The
with only one tag. If the RFID Guardian doesn’t have the
HW consists of a semi-passive tag, a power level detec-
list (or seed), it will think that it is dealing with multiple
tor, and a helper battery. The RFID field probe gives au-
tags that are only observed once. The RFID Guardian
dio and visual representations of the field signal strength
also has trouble dealing with tags working with unknown
and signal quality. However, its function is not to pro-
standards/frequencies.
tect its owner’s privacy, but as a tool to help vendors
determine where on their pallets to attach the RFID tag
7 Related Work to maximize signal strength for supply-chain manage-
ment applications. Consequently, it does not have any-
Given how great the threat of RFID technology is to thing like our software, which is the heart of the RFID
privacy, it is not surprising that other researchers are Guardian’s privacy defense.
also thinking about privacy defenders. Probably the Several other RFID-based technologies support the
closest work to ours is the RFID Enhancer Proxy[12], concept of two-way RFID communications. Near Field
which shares some similarities with the RFID Guardian. Communications[3] is a peer-to-peer RFID-related com-
The REP, too, is an active mobile device that performs munications technology. NFC devices can query RFID
RFID tag security managment, using a two-way com- tags, and can also communicate with other NFC-enabled
munications channel between the REP and RFID Read- devices. However, NFC devices cannot talk with non-
12
Tool Name Tag emulation (SW) Tag emulation (HW) Scan auditing Access control Authentication Implementation
NFC X X
Data Privatizer X X X
Blocker Tag X X X
Field Probe X X X X
ProxCard Cloner X X X X
RFID Enhancer Proxy X X X X
RFID Guardian X X X X X X
NFC enabled RFID readers and do not do privacy pro- Tombeur, Eduard Stikvoort, and Koen Langendoen for
tection. their friendly advice and help.
Finally, the RFID countermeasures described in Sec- This work was supported by the Nederlandse Or-
tion 1.1 are all complimentary to the RFID Guardian, in ganisatie voor Wetenschappelijk Onderzoek (NWO), as
the sense that the RFID Guardian could leverage them project #600.065.120.03N17.
as part of its framework, for helping to provide personal- More information is available at the RFID Guardian
ized access control. However, none of them are discrete project homepage at:
devices that protect privacy.
http://www.rfidguardian.org/
8 Conclusion
References
If we are ever immersed in a sea of RFID chips, the RFID
Guardian may provide a life raft. This battery-powered [1] Hold off on that chip, says thompson,
device, which could easily be integrated into a cell phone http://worldnetdaily.com/news/
or PDA, can monitor scans and tags in its vicinity, warn- article.asp?ARTICLE ID=47853.
ing the owner of active and passive snooping. It can also
do key management, handle access control, and authen- [2] ISO/IEC FDIS 15693, Identification cards – con-
ticate nearby RFID readers automatically, taking its con- tactless integrated circuit(s) cards – vicinity cards,
text and location into account, for example, acting differ- 2001.
ently at home and on the street. Furthermore, it can man-
[3] ECMA-340, Near field communication interface
age access to tags with sensitive content using Selective
and protocol (nfcip-1), Dec 2004.
Jamming. No other device in existence or proposed has
all of these capabilities. The RFID Guardian thus rep- [4] EPCglobal, 13.56 MHz ISM band class 1 radio fre-
resents a major step that will allow people to recapture quency (RF) identification tag interface specifica-
some of their privacy that RFID technology is threaten- tion.
ing to take away.
However, what we have described here is only one [5] Martin Feldhofer, Sandra Dominikus, and Jo-
step. We intend to further develop and improve the hannes Wolkerstorfer, Strong authentication for
RFID Guardian by giving the prototype more capabil- RFID systems using the AES algorithm, Workshop
ities. These capabilities include support for more fre- on Cryptographic Hardware and Embedded Sys-
quencies and standards, improving the communication tems, LNCS, vol. 3156, Aug 2004, pp. 357–370.
range, and simplifying the HW design. We also intend to
further develop the security protocols that are needed for [6] Klaus Finkenzeller, RFID Handbook: Fundamen-
the authentication and key management facilities, think- tals and applications in contactless smart cards and
ing particularly about interaction requirements with the identification, John Wiley & Sons, Ltd., 2003.
surrounding RFID infrastructure.
[7] FoeBuD, Data privatizer, Jul 2005, https:
//shop.foebud.org/product info.
8.1 Acknowledgments php/cPath/30/products id/88.
The authors would like to thank Serge Keijser, Tim [8] P. Golle, M. Jakobsson, A. Juels, and P. Syverson,
Velzeboer, Dimitris Stafylarakis, and Chen Zhang for Universal re-encryption for mixnets, Proceedings
their technical contributions. We also thank Anton of the 2004 RSA Conference, 2004.
13
[9] Johann Großschädle and Stefan Tillich, Design [21] István Vajda and Levente Buttyán, Lightweight au-
of instruction set extensions and functional units thentication protocols for low-cost RFID tags, 2nd
for energy-efficient public-key cryptography, Work- Workshop on Security in Ubiquitous Computing,
shop on RFID and Lightweight Crypto, Jul 2005. Oct 2003.
[10] Ari Juels, Minimalist cryptography for low-cost [22] Stephen Weis, Sanjay Sarma, Ronald Rivest, and
RFID tags, The Fourth International Conf. on Secu- Daniel Engels, Security and privacy aspects of low-
rity in Communication Networks, LNCS, Springer- cost radio frequency identification systems, Secu-
Verlag, September 2004. rity in Pervasive Computing, LNCS, vol. 2802,
2004, pp. 201–212.
[11] Ari Juels, Ronald L. Rivest, and Michael Szydlo,
The blocker tag: Selective blocking of RFID tags [23] Jonathan Westhues, For anything: proxmarkii, Dec
for consumer privacy, Proceedings of the 10th 2005, http://cq.cx/proxmarkii.pl.
ACM Conference on Computer and Communica-
tions Security, ACM Press, 2003.
14